Mist - Bring Your Own AWS
README
This package deploys all resources needed to support Mist event consumption. The configuration is designed to let an institution launch its own AWS stack to capture logs coming from Mist, de-identify them within the institution's systems, and then forward them to Degree Analytics for continued processing.
CloudFormation Stack:
Current Lambda URI: 352676346183.dkr.ecr.us-east-1.amazonaws.com/school-event-handlers:mist_school_lambda_20250127155052_prod
Current API URI: 352676346183.dkr.ecr.us-east-1.amazonaws.com/school-event-handlers:mist_school_api_prod
    ┌───────────────────┐
    │ API Client        │
    │ (external user)   │
    └─────────┬─────────┘
              │ (HTTPS)
              ▼
      ┌───────────────────┐
      │ API Gateway       │
      │ (Public Entry)    │
      └───────┬───────────┘
              │
(Optional) ───┼───> [ AWS WAFv2 ]
              │
  ┌───────────┴────────────┐
  │ Custom Authorizer      │
  │ (Lambda checks headers)│
  └───────────┬────────────┘
              │ "Allow" / "Deny"
              ▼
    ┌───────────────────┐
    │ VPC Link          │
    │ (private conduit) │
    └─────────┬─────────┘
              │
              ▼
  ┌─────────────────────────────────┐
  │ Internal ALB (HTTP:80)          │
  │ (in private subnets, no public  │
  │ IP; reachable only via VPC)     │
  └───────────┬─────────────────────┘
              │ forwards to ECS tasks
              ▼
  ┌─────────────────────────────────┐
  │ ECS Fargate Service             │
  │ (Container w/ your app)         │
  └───────────┬─────────────────────┘
              │
              │ [writes to Kinesis]
              ▼
 ┌────────────────────────────┐
 │ Kinesis Stream             │
 │ (on-demand, KMS-encrypted) │
 └────────────┬───────────────┘
              │ (event source)
              ▼
  ┌────────────────────────┐
  │ Lambda (container)     │
  │ "ProcessWifiEvents"    │
  └────────────────────────┘
Prerequisites Checklist
IAM User ARN
User ARN: The person deploying this stack must share their IAM User ARN with Degree Analytics so that Degree Analytics can grant pull access to the container images. Ensure this user, or the role they assume, has the CloudFormation and IAM permissions needed to create and modify the stack's resources (ECS, ALB, Kinesis, Lambda, API Gateway, etc.).
VPC & Subnets
A VPC with at least two private subnets and two public subnets in different Availability Zones (the private subnets host the ECS tasks and the internal ALB), plus a NAT gateway serving the private subnets.
Secrets Manager
Existing Secret: Create a Secrets Manager secret containing the required keys. For example:
{ "mist_api_key": "...", "da_api_key": "...", "deidentify_secret": "..." }
Checklist:
Secret ARN: Copy the ARN of this secret. You’ll pass it to the stack as ExistingSecretArn.
Env: dev or prod.
VpcId: e.g., vpc-123abc.
SchoolId: provided by Degree Analytics (DA).
PrivateSubnetIds: comma-delimited list of the private subnet IDs used by the ECS tasks and the ALB.
ExistingSecretArn: ARN of the secret from Step 3 (the Secrets Manager prerequisite above).
ApiImageUri and LambdaImageUri: the Docker image URIs for the ECS service and the Lambda function, respectively.
user_arn (to share with Degree Analytics): the IAM user or role that needs pull access to the images.
(Optional) WAF ARN
If you want to attach an existing WAF Web ACL to the API Gateway stage, note its ARN. If not, set this parameter to None.
(Optional) Health Monitoring ARN
If you have an SNS topic (or another endpoint) for alarms (4XX, 5XX, memory utilization, etc.), have that ARN ready. Otherwise, set this parameter to None.
Once these items are in place, you can deploy the CloudFormation stack with confidence.
Wrapping Up
You can find your HTTPS URL in the Outputs section of the stack, or by opening the API Gateway console directly and looking at the prod stage. It should look something like this:
Append the path so that the URL is {url}/api/v1/mist/events; this is the URL used to create the Mist Webhook. In Mist, go to Organization and select Settings, then Add Webhook.
Enter the URL, and make sure to provide the same secret as the mist_api_key from earlier, as seen in the image below.
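The "Custom Authorizer (Lambda checks headers)" box in the diagram and the shared mist_api_key above are where the webhook gets gated. The sketch below is an added example of such an authorizer, not code from this package: it assumes an API Gateway REQUEST authorizer, that Mist presents the shared secret in a header (the header name X-Mist-Secret is a hypothetical placeholder, adjust to whatever Mist actually sends), and that the secret is read from the mist_api_key key of the Secrets Manager secret whose ARN is passed in a SECRET_ARN environment variable.

```python
"""Example Lambda REQUEST authorizer for the Mist webhook (added example, not the package's code)."""
import hmac
import json
import os

# Hypothetical header name; compared case-insensitively because API Gateway may lower-case headers.
HEADER_NAME = "x-mist-secret"


def load_expected_secret():
    """Fetch mist_api_key from the ExistingSecretArn secret (boto3 imported lazily so the module loads offline)."""
    import boto3  # assumption: available in the Lambda runtime
    client = boto3.client("secretsmanager")
    resp = client.get_secret_value(SecretId=os.environ["SECRET_ARN"])
    return json.loads(resp["SecretString"])["mist_api_key"]


def build_policy(effect, method_arn, principal="mist-webhook"):
    """IAM policy document in the shape API Gateway expects back from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
    }


def authorize(headers, expected_secret, method_arn):
    """Return an Allow policy only when the header is present and matches the secret in constant time."""
    lowered = {k.lower(): v for k, v in (headers or {}).items()}
    presented = lowered.get(HEADER_NAME, "")
    if presented and hmac.compare_digest(presented.encode(), expected_secret.encode()):
        return build_policy("Allow", method_arn)
    # Missing or mismatched header: deny this method ARN; never fall through to Allow.
    return build_policy("Deny", method_arn)


def lambda_handler(event, context):
    """Entry point wired to API Gateway; the secret is read per invocation for simplicity."""
    return authorize(event.get("headers"), load_expected_secret(), event["methodArn"])
```

Set the authorizer's identity source to that header so API Gateway caches decisions per secret value rather than per request; if the webhook provider also signs the request body, verifying that signature over the raw body is stronger than a static shared header.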